Chet Chat episode 107 shownotes:

Last week Chester was in Boston, so we offered our condolences to the people of that city, and made some choice remarks about what we thought of the scammers who leapt on the stories so quickly to try to add computer injury to physical and emotional pain.

Hostgator, a Texas server hosting company, was hacked by an insider who made off with an SSH key and allegedly set about stealing data after getting fired. We noted the poetic justice of how investigators dealt with the intruder when they spotted him in the middle of a hack, and were able to use his TCP session "in reverse" to catch him. They came up with enough evidence of wrongdoing to lead to his arrest. Hostgator had kept the sort of logs that made the investigation possible, and we were of the opinion that you should do the same.

Apple updated Safari with an "allow/deny" dialog for Java applets. We weren't 100% happy with a solution that requires yet more technically-informed decision making by users in real time, but we pointed out that it's a better middle ground than just having Java on or off. Many Naked Security readers have shared their pain at wanting to throw Java out of their browser but being unable to do so for unavoidable legacy reasons.

A presentation at the Hack In The Box conference in Amsterdam about the security of in-flight control software on commercial aircraft got lots of publicity recently. We reminded you that the claims you may have heard implying that almost anyone with an Android phone could overpower a plane at will aren't quite the conclusions you should draw.

We discussed the "Cover Feed" parts of the new Facebook Home offering, which is a replacement for the lock screen that effectively leaves your phone in a partially-unlocked state in which other people's Facebook posts pop up even if you're not there. Not only that, but you - or someone near your phone - can Like those posts without unlocking the device. We aren't convinced this is a good idea, and we thought you should stick to the leanest, meanest, cleanest lock screen you can tolerate.

• Stop by and meet the team

Finally, since Chester's in London right now, he invited anyone attending this week's Infosecurity Europe in Earls Court to stop by at the Sophos booth and say, "G'day!"

I have used the function in the Opera web browser which asks you to enable any type of plugin on every website. I use Java for one online game which is soon creating an HTML5 version, so I will soon be able to disable the web plugin and just use Java for the Minecraft standalone applet. On another note, I updated Java on one of my lesser-used machines and one of the messages told me that installing Java 7 would uninstall Java 6 for me. I cannot believe it has taken this long for Oracle to remove old insecure versions of Java.
For quite a long time Adobe has removed older versions of Reader when you install the new one.

I have worked on tons of systems for my customers which have Java 5 and multiple versions of Java 6. I feel that major OEMs are not helping by installing all these applications which may or may not be needed by their customers.

IIRC (at least on OS X) only the most recently-installed browser plugin will be used, so if you update from 1.6 to 1.7, say (Apple-to-Oracle version or Oracle-to-Oracle version), you will by default use the latest plugin with the latest Java Runtime in your browser. http://javatester.org/ will tell you what plugin version, if any, is the one that will be activated when you visit an applet...

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog